1 Reply Latest reply on Jan 7, 2016 11:03 AM by rth67

    field match alarm - which device to apply?

    abhattacharjee

      Creating a field match alarm on Nitro. On the device tab we have the option to roll it out to ACE/ESM/ERC/ELM?

      My understanding of the event flow says that we can do it on the ESM/ELM, since the ERC has already mapped all the fields and forwarded them to the ESM. Does anyone have any clarity on this?

        • 1. Re: field match alarm - which device to apply?
          rth67

          The "Field Match" alarm is used to make alerts faster than an "Internal Event Match" alarm. This was added in the 9.4.0 release.

          For instance, if the pull interval at which your ESM collects Events & Flows from your devices (Receivers, APM, DSM, etc.) is set to, let's say, 10 minutes, then with an "Internal Event Match" alarm the ESM will not fire the alert until the data is pulled from the Receiver and inserted into the database, so for a critical event you could have a 10+ minute lag before receiving the alert.

          If you choose the "Field Match" alarm and select the specific data source (or the Receiver that those types of data sources are on), then as soon as the criteria on the "Condition" tab are met, the Receiver will forward those events immediately to the ESM to be populated into the ESM database and trigger the alert, thus cutting your response time for critical alerts down significantly.

          The Field Match alarm also allows for simple correlation within the alarm, something you used to have to do in a Correlation engine, which again cuts out lag time and improves alerting response times.

          From the 9.4.0 Release Notes:

          A new Field Match alarm condition has been added. It can match on multiple fields of an event, and triggers as soon as the device receives and parses the event (see Add a Field Match alarm). This alarm type supports Receivers, local Receiver-Enterprise Log Managers (ELMs), Receiver/ELM combos, ACEs, and Application Data Monitors (ADMs).

          The alarm condition that was previously called Field Match is now called Internal Event Match.